If the ports are disabled via BIOS, there's no way, simply because Windows absolutely can't see the USB drive.
Also, disabling USB support via Device Manager or group policy, as far as I know, prevents infection from USB, but can't assure that an already present virus can infect the USB drive inserted. This kind of disabling is software and re-enabling can be done by software.

IntelliAdmin USBDisabler uses group policies to disable USB support. This means that code present on a USB drive can't be executed unless some code present on the PC tampers with the protection. So very likely you'll not get a virus from USB, but you may get one from another source and then put it on the USB drive. I think it is an acceptable solution.

PS: From my understanding of the registry change that IntelliAdmin USBDisabler applies, it prevents Windows from loading the drivers to support the USB device. If this is the case then Windows will not be able to properly initialise the device and will be unable to access the file system. This means that any driver exploits will fail and autorun-style viruses will never be loaded. This would also have prevented the recent icon handler exploit where simply looking at the drive in Windows Explorer was enough to compromise the system.
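A read-only audit of the software-level controls discussed in the posts above, as an added example that is not part of the original thread and not IntelliAdmin's code. The thread does not name the registry change, so the standard Windows locations used here (the USBSTOR service start type, the removable-storage deny policy, and the AutoRun policy) are assumptions, and `Get-RegValue` and `Test-UsbStorageLockdown` are hypothetical helper names.

```powershell
# Added example: report whether software-level USB storage controls are in place
# and which accounts could switch the driver setting back on. Reads only, changes nothing.
# Assumption: registry paths are the standard Windows locations, not named in the thread.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-UsbStorageLockdown {
    $usbstor  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    $start   = Get-RegValue $usbstor  'Start'               # 3 = load on demand, 4 = disabled
    $denyAll = Get-RegValue $policy   'Deny_All'            # 1 = deny all removable storage access
    $autorun = Get-RegValue $explorer 'NoDriveTypeAutoRun'  # 0xFF = AutoRun off for every drive type

    # The setting is only a registry value, so list who is allowed to change it back.
    # ACEs that use generic rights are not matched by this simple bit test.
    $setValue = [int][System.Security.AccessControl.RegistryRights]::SetValue
    $writers = @()
    if (Test-Path -LiteralPath $usbstor) {
        $writers = (Get-Acl -Path $usbstor).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           (([int]$_.RegistryRights) -band $setValue) } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique
    }

    [pscustomobject]@{
        UsbStorDriverDisabled = ($start -eq 4)
        RemovableStorageDeny  = ($denyAll -eq 1)
        AutoRunDisabledAll    = ($autorun -eq 0xFF)
        CanReEnableDriver     = $writers -join '; '
    }
}

Test-UsbStorageLockdown | Format-List
```

Any account listed under `CanReEnableDriver` can undo the driver setting from software, which is the limitation the first post points out.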

Wow wow, if your PC had AV, then what's the problem? USB drives are scanned, well, should be. McAfee, AVG and many others will do this.
Also, most or ALL anti-viruses scan on file open, so you'll be covered.

Now the downfall is if the virus is so new that your AV doesn't know about it. But if someone really wanted to execute a virus on your system they could by having a bootable USB virus that would bypass any system software you install, so BIOS is the only true way to do this.

Just a quick note: the risk of booting another OS from a USB device can be mitigated by fixing the boot order and password-protecting the BIOS. How much protection this offers though is still questionable if you cannot physically secure the machine. You might want to look at full disk encryption (sometimes called On-The-Fly encryption) which should help further mitigate the risk of physical tampering.

I am afraid at the end of the day you have to make a choice between security, convenience and cost.
